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Abstract —In this paper we provide secrecy metrics applicable 
to physical-layer coding techniques with finite blocklengths over 
Gaussian and fading wiretap channel models. Our metrics go 
beyond some of the known practical secrecy measures, such as 
bit error rate and security gap, so as to make lower bound 
probabilistic guarantees on error rates over short blocklengths 
both preceding and following a secrecy decoder. Our techniques 
are especially useful in cases where application of traditional 
information-theoretic security measures is either impractical or 
simply not yet understood. The metrics can aid both practical 
system analysis, and practical system design for physical-layer 
security codes. Furthermore, these new measures fill a void in 
the current landscape of practical security measures for physical- 
layer security coding, and may assist in the wide-scale adoption of 
physical-layer techniques for security in real-world systems. We 
also show how the new metrics provide techniques for reducing 
realistic channel models to simpler discrete memoryless wiretap 
channel equivalents over which existing secrecy code designs may 
achieve information-theoretic security. 

EDICS Category: COM-OTHS, INF-SECC 

I. Introduction 

Physical-layer security has attracted much attention of late 
as a means to provide a keyless layer of security using error- 
control coding and other physical-layer techniques such as 
intentional jamming Ill, O. While traditional information- 
theoretic secrecy measures have been the preferred vehicles for 
proving the worth of physical-layer security coding schemes, 
some channel models remain elusive to this type of analy¬ 
sis 0. In this paper, we provide two new security metrics that 
apply when blocklengths are finite (and especially when they 
are short), and when channel models are more representative 
of real-world environments. 

Coding techniques exist that can achieve strong secrecy, 
and even semantic secrecy over the binary erasure wiretap 
channel fH, but in the face of fading, jamming, and otherwise 
Gaussian noise, there remains a dearth of useful secrecy met¬ 
rics beyond simple bit-error rates (BER). The one exception is 
the security gap 0, which provides a measure on the required 
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signal-to-noise ratio (SNR) advantage over an eavesdropper to 
operate at acceptable error rates for friendly parties with an 
acceptable amount of security over illegitimate receivers. Our 
metrics go beyond security gap, so as to identify operable 
regions of SNR for which bit-error rates, even over a short 
number of bits, are guaranteed to be near 0.5. The basic 
premise of our techniques is to evaluate the distribution of 
error rates over a small number of bits, such as might be 
transmitted over a single packet, or within a single coded 
word, and to make guarantees not only on the mean of the 
distribution, but rather on, e.g., the 10th percentile or even 
the 1st percentile of the distribution. A proper tool that allows 
us to make these claims is the simple cumulative distribution 
function (CDF) of the error rate over short blocklengths. 
As one considers percentiles closer to zero, the guarantees 
of our secrecy metrics are such that every small block of 
transmitted data either fails to be decoded (for the first metric), 
or achieves decoder output bit-error rates greater than 0.5 — (5 
(for the second metric). These metrics fill a void in the current 
landscape of security measures for secrecy codes, and find 
immediate application in real-world environments. 

Consider the wiretap setup as depicted in Fig. where 
the receiver chains for both a legitimate receiver Bob and an 
eavesdropper Eve are pictured. We consider here a possibly 
concatenated coding system, where the outer code is for 
security (and may consist of any number of coding operations 
as indicated), and the inner code is for reliability. Based on 
early work over the wiretap channel (6), 13 , we know that 
there exists a supremum of achievable rates such that both 
security and reliability can be attained. This rate is called the 
secrecy capacity Cg. Unfortunately, the grand majority of all 
currently known explicit secrecy codes do not provide both 
reliability and security, but rather offer security as long as 
the legitimate receiver’s channel is noiseless. Explicit code 
constructions that are exceptions to this rule require that the 
eavesdropper’s channel is degraded from the main legitimate 
receiver’s channel, and only work for discrete memoryless 
channels m One possible framework for extending these 
results is to employ a concatenated coding scheme as we 
illustrate in Fig. It should be noted that the inner code in 
this figure is marked as optional, and if it is removed, then 
the model reduces to the traditional wiretap channel model i). 
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Thus, although we are considering our new metrics in cases 
where concatenated codes are used, they remain applicable 
to the general wiretap case. We note the transmitter Alice 
encodes a message through all stages of the encoder to produce 
a length-n codeword which is transmitted over the wiretap 
channel. Bob and Eve observe their respective signals 
and and both attempt to decode the message, perhaps 
producing respective message estimates M and M. 


A. An Example 

As a simple example, consider the case where the outer code 
is just a scrambler, implemented by multiplying the binary 
length-/c message M by a /c x /c binary matrix that is invertible 
in GF{2) at the encoder and its inverse at the decoder. Let’s 
assume that the inner code is a t-error correcting code, such 
as a BCH code. If the channel is a Gaussian or a fading 
channel, then an information-theoretic security analysis may 
prove difficult. The alternative is to simulate the concatenated 
coding scheme at the decoder so as to obtain some guarantee 
on BLR. When this is done, simulations are typically averaged 
over thousands of runs to obtain an average BLR, and although 
the analysis is simulation driven, the results still only hold 
asymptotically as blocklengths become very large, just as in 
an information-theoretic analysis (if it’s even possible). 

We wish to provide probabilistic guarantees of decoder 
failure and guarantees of low statistical dependence between 
the message M and an eavesdropper’s decoder output message 
M. Despite the fact that BLR has several shortcomings as 
a security metric, it can still be used effectively to estimate 
decoder outputs when the eavesdropper’s attack strategy is 
known. Our metrics strengthen this approach by considering 
the entire distribution of possible error rates. In Fig. we show 
the BER both before and after the scrambler in a receiver, 
and as expected the descrambling operation propagates errors 
into the message estimate. However, if we’d like to guarantee 
error rates close to 0.5 in all k-hit message estimates at the 
eavesdropper, it is necessary to consider the entire distribution 
of error rates over a blocklength of data. We see curves for 
PT{Pb > 0.5 —(5) in the figure, where Pb can be used to model 
the proportion of bits in error over one block of k bits either at 
the input or at the output of the outer decoder, and is a point 
estimator of the true bit error rate P 5 . To be more specific, let 
P be a random variable that represents the number of bits in 
error over k bits either at the input or the output of the outer 
decoder. Then 

A = (1) 

and is coincidentally the maximum likelihood estimator for the 
bit error rate Pb given k independent observations El. While 
the errors in k received bits comprising a single transmitted 
codeword are likely not independent at the output of a decoder, 
we will address this concern later in Section|V] Notice in Fig.|^ 
that if we want Pr(P 5 > 0.5 — (5) after the decoder to get close 
to one, then we need to allow 6 > 0.15 for this scheme, and 
somehow ensure that Eve’s Eb/No is no better than 3 dB. 
Also note that we use this simple example to showcase the 
general applicability of the new metrics, as comparing error 



Fig. 2. New security metrics for a simple system where the outer code is a 
scrambler and the inner code is a BCH(127, 64) code. BER curves are given 
in blue with no markers, and Pr(P 5 > 0.5 —(5) curves are given with markers 
as indicated to identify the values of 6. Solid lines indicate the location is 
before the outer coder, while dashed lines indicate the location is after the 
outer coder. 


rates before and after the outer decoder gives one method 
for quantifying the contribution of the descrambler to the 
data received by the eavesdropper, but we are not proposing 
scrambling with BCH codes as a security solution. 


B. Outline 

Throughout this paper, we will let SNR designate the signal- 
to-noise ratio as measured by the channel, meaning the energy 
per transmitted bit over the noise power spectral density 
Nq. Eb/No will be the energy per information bit divided 
by Nq. The two are related by the overall rate R of the 
concatenated coding scheme so that SNR = REb/No for 
BPSK transmission. 

The rest of the paper is organized as follows. First, we 
survey the landscape of secrecy metrics for physical-layer 
security coding schemes in Section |n| We then point out some 
shortcomings and motivate the need for additional practical 
metrics in Section |I^ Since the main contribution of this paper 
is the introduction of new secrecy metrics, these two sections 


are absolutely crucial. In Section III we also highlight the 
cases for which our metrics are superior to both information- 
theoretic and BER-based existing metrics, and point out their 
limitations. Sections IV and [V| provide our new metrics BE- 
CDF^^ and BER-CDF^^, respectively, with definitions and 
clarifying examples. Finally, we show a use case of these 
metrics in a more complicated concatenated coding scheme in 


Section VI and indicate how the scheme may be used directly 
for secrecy, or used to provide a discrete memoryless wiretap 
channel equivalent over which additional secrecy codes may be 
used to achieve information-theoretic security. We offer some 


comments by way of conclusion in Section VII 


H. Secrecy Metrics 

The secrecy metric space has progressively become more 
dense, particularly over the last few decades. The initial 
secrecy coding metric posed by Shannon in the late 1940’s 
was that of perfect secrecy O. A code is said to achieve 
perfect secrecy if 


/(M;X^) = 0, 


( 2 ) 
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Fig. 1. Wiretap channel model assuming a concatenated coding scheme, where the outer code is for secrecy and the inner code is for reliability. Note that the 
inner code is marked as optional, and if it is removed, then this model reduces to the traditional wiretap channel model. The new metrics presented in this 
work are BE-CDF^*^ (where he indicates before code), and BER-CDF®*^ (where ac indicates after code). 


or, alternatively, if the equivocation H{M\X^) is equal to the 
entropy of the message H{M). Perfect secrecy indicates that 
the coded message tells you nothing about the message itself. 
Shannon introduced the notion through the coding scheme of 
the one-time pad, and promptly proved that it was impossible 
to achieve perfect secrecy in a scheme where the entropy of a 
secret key is not at least as much as the entropy of the message 
itself, making the notion completely impractical. 

In the mid-seventies, Wyner introduced an additional 
metric for secrecy that is known today as weak secrecy. A 
scheme is said to achieve weak secrecy if 

lim - J(M; Z”) = 0. (3) 

n^oo fi 

This metric introduced the idea of coding for secrecy in earnest 
because the results indicated that it was actually possible to 
achieve weak secrecy in a practical system. After all, this 
criterion does not require that the coded message leaks 
no information about M, but rather that the eavesdropper’s 
observation must leak a sufficiently small amount of 
information about M such that the 1/n factor can still drive 
the quantity to zero. With this new notion of secrecy, came 
the idea of secrecy capacity Cs which was originally defined 
as the supremum of coding rates that can achieve weak 
secrecy against a passive eavesdropper as a function of the 
wiretap channel parameters, while maintaining arbitrarily low 
probability of decoding error at the legitimate receiver. As long 
as the legitimate parties are able to leverage an advantage 
over the eavesdropper so that the effective main channel is 
less noisy m than the eavesdropper’s channel, then Cg > 0, 
which indicates that private communications are theoretically 
possible. 

Weak secrecy was shown to be insufficient in many 
cases cni, and Maurer later defined a stronger metric known 
as strong secrecy HD, where a scheme is said to achieve 
strong secrecy if 

lim /(M; Z^) = 0. (4) 

n^oo 

It was recently noted in ifT^ that even strong secrecy may 
not be sufficient for some applications because the assump¬ 
tion is often made that message symbols are random and 
uniformly distributed over the message alphabet. Of course. 


in cryptographic scenarios, the messages are never perfectly 
random and uniform, and it is known that in practice there 
really is no universal compression algorithm that can provide 
such messages at the input of secrecy encoders. Thus, we have 
an even stronger notion of secrecy called mutual information 
security which is achieved if 

lim max{/(M;Z^)} = 0. (5) 

n^oo Pm 

Here we maximize /(M; Z'^) over all possible message distri¬ 
butions Pm • It is also shown in na that this notion of secrecy 
is equivalent to distinguishing security and semantic security. 

Although it took over 30 years after Wyner introduced 
weak secrecy for an explicit code design to emerge that could 
achieve it Ha, it has already been shown that codes exist 
that can achieve both strong and semantic secrecy, albeit over 
simple wiretap channel models El, ca, and surprisingly, the 
secrecy capacity defined using strong or semantic security 
is provably the same as that defined by the weak secrecy 
metric d, 0. 

Although this list of information-theoretic measures is 
impressive, there remain several wiretap channel models 
that have proved elusive to explicit code designs where 
information-theoretic security can be guaranteed. Thus, over 
channels that are more representative of real world commu¬ 
nications, such as the Gaussian wiretap channel or fading 
channel scenarios, there have been additional security metrics 
developed. For example, the authors in 0, ca used bit-error 
rate (BER) at the output of a decoder as a more practical means 
of security measure. This metric can be simulated in a straight¬ 
forward manner, just as is done for traditional error-correcting 
codes. The authors in 0 developed a new secrecy metric by 
identifying a target BER for the legitimate receiver, as well as 
a target BER for an eavesdropper, and found the SNRs that 
would achieve each of these targets. The security gap was 
then defined as the difference between these two SNR values 
in dB (or a ratio of the two linear values). The security gap 
tells a designer what the required advantage is for obtaining 
the desired security and reliability performance, and threshold 
operating points for achieving both. 

Authors in ca studied coding mechanisms that provided 
degrees of freedom in an eavesdropper’s decoder output, where 
no information about certain bits could be obtained, forcing 
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an attacker to guess the bits associated with the degrees 
of freedom in the decoder. This notion was similar to an 
information-theoretic security approach in the sense that the 
information could not be attained through any degree of 
processing, but was also very much unlike an information- 
theoretic security approach because it restricted an attacker to 
a specific attack strategy. 

III. Shortcomings of Current Security Metrics 

The metrics of the previous section give many tech¬ 
niques for analyzing the security achieved by specific coding 
schemes. Developing wiretap codes that are able to reach 
the envisioned secrecy capacity for more practical chan¬ 
nel models remains a formidable challenge, and perform¬ 
ing the information-theoretic analysis is oftentimes deemed 
intractable. The information-theoretic measures are still the 
most desirable where possible to apply, but they also have 
another weakness in the sense that they lead to codes that 
are designed to meet a secrecy criterion in an asymptotic 
blocklength regime only, thus limiting their applicability in 
real systems that require short blocklength codes. 

On the other hand, one should be careful when performing 
security analysis that relies only on BER-based measures, 
because high error rates do not necessarily indicate that some 
information has not been leaked. In fact, modem cryptography 
is based on computational security that does leak the informa¬ 
tion about the message. These systems work not because of an 
information-theoretic guarantee, but rather due to there being 
no known computationally efficient algorithm that can find the 
solution in any reasonable amount of time with any realistic 
amount of computing power unless the key is known. Thus we 
see that despite not achieving an information-theoretic security 
measure, cryptosystems remain useful because they attain 
security in a more practical/applied sense. In a similar way, 
BER security analysis assumes the best known decoder/attack, 
and makes calculations assuming an eavesdropper uses that 
attack. While BER may provide some useful information about 
the quality of the received data or the decoder output at the 
eavesdropper, BER calculations are still made by averaging 
large amounts of data, and are therefore only reliable as 
blocklengths get large. 

The metrics we introduce over the next two sections of this 
paper take a BER approach, but rather than calculating simple 
averages, make use of our knowledge of the CDE of bit error 
rates over small blocks of data to provide lower bounds on 
error rates through the receiver decoder chain. Making this 
fundamental change in how BER is used to analyze security 
in a system, allows us to make stronger guarantees about the 
performance of secrecy codes in the short blocklength regime. 
This is something that none of the metrics in Section |I^ can 
provide due to the way the analysis is completed either as 
blocklength goes to infinity, or as simulations are averaged 
over thousands of independent runs. Using the new metrics, 
we also maintain the ease of simulation-based characterization 
of security (which is particularly helpful when realistic channel 
models are considered, where it is not known how to provide 
an information-theoretic analysis). Table |T| outlines the utility 



Eig. 3. Bit error probability and probability of having fewer than or equal to 
10 errors for an AWGN channel with BPSK modulation. 

of each currently known physical-layer security metric, and 
indicates the contribution of our new metrics lies in ease of 
computation and providing the strongest guarantee yet for 
analyzing finite blocklength code designs. 

IV. The Bit Error-Cumulative Distribution 
Eunction 

Let us consider an AWGN channel with BPSK modulation, 
for which the BER (depicted in Eig. is given by nil 

Pb = ierfc (VsNr) . (6) 

A t-error correcting code of length 127 that is able to correct 
up to 10 errors can recover from a BER of ^ 0.079 

assuming uniform error distribution, but errors over short 
blocks of data are not guaranteed to occur so uniformly. Let 
E be the number of bit errors in a block of n bits. Eor 
a transmitted word of size n with independent bit errors, 
the probability of having fewer than or equal to t errors, 
Fi{E <t) can be straightforwardly obtained from as 

pt{e <t) = Y, (f) nil - n)’^“i (7) 

Let us now consider two operating points of Eig.[^ (a) SNR = 
0 dB that leads to a BER close to the 0.079 that the code 
supports, and (b) SNR = —3 dB, that leads to a BER « 0.16. 
Looking at Pr(E' < 10) in the same figure, for SNR = 0 dB 
we have Ft{E < 10) « 0.58, meaning that the code would 
still succeed more than half of the time. Eor SNR = —3 dB, 
we get Ft{E < 10) « 0.006, which indicates that the decoder 
will fail over 99% of the time, yet with a BER far from 0.5. 
Also note that the curve for Ft{E < 10) approaches zero for 
low SNR values, with the BER still far from the idealized 0.5 
value. With this in mind, the question arises of how close to 
BER= 0.5 is close enough for security purposes? 

To address this issue, we look to the distribution of errors 
of transmitted data and propose the first of two new secrecy 
metrics. 

Definition 1 (Bit Error Cumulative Distribution Eunc¬ 
tion). The bit error cumulative distribution function, BE- 
CDE^^(t, SNR, Sm, Ci), gives us the probability of having 








TABLE I 

Summary of current physical-layer security metrics, highlighting some oe their pros and cons. Here we see that although our 

NEW METRICS CANNOT PROVIDE INEORMATION-THEORETIC SECURITY, THEY ARE BEST IN CLASS AMONG THE ERROR-RATE SECRECY METRICS. NOTE: 

W.P. MEANS with probability. 


Class 

Metric 

Directly applicable 
to short codes 

Easily computable 
in general 

Information-theoretic 
secrecy guarantees 

Strongest 
in class 

Achievable 
in practice 

Impractical 

Perfect Secrecy 

Yes 

No 

Yes 

Yes 

No 

Info-theoretic 

Weak Secrecy 

No 

No 

Yes 

No 

Yes 

Info-theoretic 

Strong Secrecy 

No 

No 

Yes 

No 

Yes 

Info-theoretic 

Semantic Secrecy 

No 

No 

Yes 

Yes 

Yes 

Error rate 

BER 

No 

Yes 

No 

No 

Yes (BER Pe 0.5) 

Error rate 

Security gap 

No 

Yes 

No 

No 

Yes (security gap < 0 dB) 

Error rate 

BE-CDF'"' 

Yes 

Yes 

No 

No 

Yes (decoder failure w. p. 1) 

Error rate 

BER-CDF''^ 

Yes 

Yes 

No 

Yes 

Yes (high error rates w. p. 1) 


t or less errors, Pr(£’ < t), as a function of the SNR for a 
message of size Sm, encoded with a code Ci (refers to the 
optional inner code). 

From this metric we can deduce the probability of having 
more than t errors in a block of data, giving us the power to 
predict the likelihood of decoder failure when the code is a t- 
error correcting code such as a BCH code. This information is 
useful for identifying acceptable SNR operating points for both 
friendly parties and eavesdroppers im. Notice from Fig. 
that we measure this metric before the outer code (hence the 
superscript be) in a concatenated coding scheme, i.e. prior 
to the secrecy code. Because of this, we choose to use SNR, 
rather than Ei^/Nq to show the results, although the conversion 
can be made if desired. 

A. Analysis 

This metric can also be used to fine tune the security 
and reliability levels of a coding scheme that relies on t- 
error correcting codes. For example, if we assume no inner 
code and set the outer code to a BCH(127,64) code that 
corrects up to 10 errors, and if we want a reliability level 
of Ft{E < 10) > 0.99, Bob would have to operate at an SNR 
above 1.95 dB as indicated in Fig.[^ For a confidentiality level 
of 0.99, i.e. Ft{E < 10) < 0.01, Eve would need to operate 
at SNR below —2.78 dB. 

While relevant reliability and confidentiality levels with a 
reasonable SNR gap between Bob and Eve may seem illusive 
with simple coding schemes such as the mentioned BCH 
code, this metric enables the selection of f-error correcting 
codes that can be used in more evolved concatenated coding 
schemes combined with the generation of interference IT^ to 
provide desired levels of reliability and confidentiality, as will 
be described in Section lYll 

V. The Bit Error Rate-Cumulative Distribution 
Function 

The BE-CDF^^ allows us to guarantee failed decoding with 
high probability over certain SNR regions for t-error correct¬ 
ing codes. However, a failed decoder does not necessarily 
imply that the eavesdropper cannot obtain most of the message 
bits at the output. Hence, in this section we introduce a metric 
that can guarantee decoder failure with BER close to 0.5 in 


the estimated message bits to strengthen the security guarantee. 
For this section, let E), be the measured proportion of bit errors 
at the output of an error-correcting decoder measured over 
decoded message bits. For the case where the code being used 
is a block (n, k) code, it makes sense to let be an integer 
multiple of k. The metric we propose in this section allows 
a user to specify a required error rate at the output of the 
eavesdropper’s error-control decoder over Sh bits using the 
probability that Pb > O.b — 6 for any S desired. 

Definition 2 (Bit Error Rate-Cumulative Distribution Func¬ 
tion). The Bit Error Rate-Cumulative Distribution Function, 
BER-CDF^^((5, E})/No, Sb, C) is the quantity 

Pr(A > 0.5 - 6) (8) 

calculated over Sb estimated message bits for a code C as a 
function of Eb/No, where C may be the concatenation of an 
(optional) inner code Ci and an outer code Cq. 

We note that the ac exponent indicates that the metric is 
measured after the code. Since the inner code is shown to be 
optional in Fig. this is referring to the outer (secrecy) code. 
Also, because we are calculating this metric after the decoder, 
it makes sense to use Eb/No, rather than SNR. Finally, we 
should note that this metric is actually the complement to the 
CDF, but we choose to use a consistent nomenclature to that of 
the BE-CDF^^. These two metrics packaged in a pair provide 
valuable design information so as to achieve both reliability 
and secrecy. 

A. Analysis 

The BER-CDF^^ allows us to guarantee decoder failure 
with high probability in addition to high BER over short 
blocks of Sb bits at the output of the decoder. Although the 
metric is not information-theoretic, it comes much closer to 
the information-theoretic definitions of secrecy than the BE- 
CDF^^ by limiting the amount of useful information to an 
eavesdropper (as tends to happen with high BER). That is, 
for a scheme that guarantees high BER using the BER-CDF^^ 
metric, it is unlikely that the decoder will fail and yet provide 
small BER at the output. Notice that this metric is also much 
more robust than simply considering the average BER, and 
examples are shown in the following section of the paper. 
Similarly as with our BE-CDF^^ metric, we now ensure that 
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Fig. 4. Depicts the BER-CDF®*^ metric Pr(P 5 > 0.5 — (5) for the 
BCH(127, 92) code for = 2x92 = 184 using L-order DPSK modulation. 
Notice that for some 6 values, the BER-CDF®*^ approaches one, where other 
curves appear to be bounded away from one. 

the entire distribution of BER values for a specific length of 
text Sb is within an acceptable security region. 

Recall that is the estimator of the error rate at 
the output of the final decoder over a short blocklength of 
Sb bits. If we assume that each bit at the output of the 
decoder is in error independently with probability Pb, then the 
random variable Pn = SbPb models the number of errors in a 
block of Sb bits, and is distributed according to the binomial 
distribution with parameters = Pb, and = SbPb{^ — Pb)- 
This means we can calculate the metric exactly as 

Pr(A > 0.5 -S)= Pr[Pn > Sb{0.5 - ^)] 

L5f,(0.5-(5)J 

= 1 - E 

x=0 ^ ^ 

(9) 

Although the exact expression can be derived in this case, the 
assumption of i.i.d. errors is not likely to hold in practice, 
Pb may be unknown, and the calculation itself would be time 
intensive, or require approximation using the Gaussian distri¬ 
bution O. Thus, in practice, it makes more sense to calculate 
the metric using straightforward Monte Carlo simulations. 

By way of example, consider Pr(i\ > 0.5 — (5) as plotted 
for a BCH(127,92) code as the outer code with several varying 
sets of parameters as portrayed in Fig. Each case presented 
uses = 92 X 2 = 184 so as to allow a L = 4 order 
modulation scheme without zero-padding. The modulation 
scheme was chosen arbitrarily to be differential phase shift 
keying (DPSK), and is either binary or quaternary as indicated 
in the legend. Beyond this, we consider different S values 
as shown. Although there exist Eb/No values for which the 
decoder fails with probability close to one, unless the resultant 
BER is greater than (0.5 — (5) with high probability, the metric 
will not approach one in the limit as Eb/No — oc. 

Notice that the value the BER-CDF^^ approaches as 
Eb/No — oo is strongly linked to 6, which makes perfect 
sense. As S grows, it is more possible to fit the entire distri¬ 
bution of BER above the {O.b — 6) threshold. This observation 
indicates that for any particular coding scenario, there may 
in fact exist a minimum 6 for which the BER-CDF^^ can be 
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Fig. 5. Limiting value of the BER-CDF“^ metric as Eb/No goes to —oo as 
a function of S and Sb- 

made to go to one as Eb/No — oo. Also notice in Fig. 
that increasing the order of the digital modulation scheme can 
bring about an effective shift towards better security. When 
Pr(p 5 > 0.5 — ^) is bounded away from one, we are viewing 
the random corrective capabilities of the code even when the 
signal is completely overwhelmed by noise. Certainly, we can 
do better by increasing Sb or the dimensions of the code as 
well, but the utility of this metric is that we can get a clear 
picture for what happens when Sb is small, thus providing 
small blocklength security analysis in practical physical-layer 
security system designs. 

Let us consider the limiting value of the BER-CDF^"^ as 
Eb/No —> —CO. Clearly this quantity is a function of 5 and 
Sb, and can be calculated by recognizing that Pb is a sample 
mean of Bernoulli random variables Xi where 

1 if bit i is in error, 

0 otherwise. 

Let Pr(A^ = 1) = as before. Then specifically, 

^ Sh 

A = (11) 

i=i 

and by the central limit theorem Pb ^ ^{Pb, 

Clearly, this is true in the limit as Sb gets large, but even 
for small and moderate blocklength sizes, the central limit 
theorem still provides a good approximate distribution. 

In the limit as Eb/No —oo, we also have Pb -> 0.5, and 
Pb ^ A/'(0.5, Using the classic Gaussian standardization 
technique IH, we find that 

lim Pr(A > 0.5 - (5) = Q (-25^/^) . (12) 

Eb/No^-oo V / 

This limiting value of the BER-CDF^^ is shown in Fig. 
over a range of 6 and Sb values. These results can aid system 
designers in choosing Sb (or k) in outer codes appropriately 
so as to supply a desired BER-CDF^^. Once Sb is chosen, 
we also have a best possible value for the metric over which 
any coding scheme can be compared. One characteristic of 
good secrecy codes is that they will transition from zero to 
the limiting value in this metric over a very short range of 
Eb/No. 
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In this section, we show how the concatenated coding 
system from (TEl measures up using the two new metrics, and 
discuss the utility of the system as a result of its BE-CDF^^ 
and its BER-CDF^^ curves. It should also be noted that ina 
goes through a design process based on the BE-CDF^^ for this 
coding scheme. Although we do briefly outline the scheme 
and one possible design process here, the interested reader 
is directed to the original work for further details. Finally, 
we indicate how our new metrics may be combined with 
this coding scheme to provide effective discrete memoryless 
wiretap channel equivalents over which other secrecy coding 
schemes may be implemented to achieve information-theoretic 
security. 

A. System Setup 

The system analyzed in this section follows the general 
concatenated coding framework outlined in Fig. The outer 
code can actually be considered as two encodings, where the 
message is interleaved according to a secret key K (drawn 
from the space of possible permutations on Sm input message 
bits), and the key is encoded separately from the message 
using a BCH(127,64) code that is capable of correcting 10 
errors. The interleaved message and the encoded key are then 
appended together, and this constitutes the outer code. An 
LDPC(1056, 880) code is then used as the inner code, which is 
applied to the appended message and key to form a codeword 
suitable for transmission over a noisy channel. Recall from 
Fig. that the general concatenated framework is such that 
the outer code is intended to achieve the secrecy requirements 
of the system, while the inner code is used to achieve reliability 
for Bob. 

In this system, however, there is more at play than just the 
coding schemes. When the encoded data that are associated 
with the key K are transmitted over the channel they are 
intentionally jammed by some friendly network user with 
jamming power equal to a fraction a of Alice’s transmit power. 
The idea is to give Bob an advantage because of his location 
or knowledge of the jamming signal so that the jamming 
affects him only minimally, while an eavesdropper has no 
information about the jamming signal and/or is positioned 
in a geographic location that does not afford her the same 
advantage as Bob na, oa, noi. Since the jamming is only 
applied to the encoded bits associated with the interleaving 
key, reliability in the system also stems from Bob being able to 
recover the key for deinterleaving, while security in the system 
depends on Eve being unable to recover the interleaving key. 
Data are transmitted over a Gaussian wiretap channel using 
BPSK modulation. 

The receiving decoders at Bob and Eve apply a soft- 
decoding algorithm for the LDPC code, and the BCH decoder 
can then correct no more than 10 errors in the key bits. The 
goal is to reliably keep the errors at the output of the FDPC 
decoder at no more than 10 for Bob, and above 10 for Eve for 
each transmitted key block, as the key bits must be used to 
deinterleave the message bits at the flnal step of the decoder. 
The mapping of keys to interleavers is such that any errors in 



Fig. 6. BE-CDF^*^ calculated when t = 10 for three different effective 
jamming powers. These results anticipate the likelihood of decoder failure 
for Eve at a = 0.7 for a BCH(127, 64) code at around 0.9952 when Eve’s 
Gaussian channel has SNR = 4 dB. If Bob experiences an effective a = 0.2, 
then he can operate with BE-CDF^*^ = 0.9975 at 6.5 dB. 

the estimated key result in high error rates in the deinterleaved 
message, even when the interleaved message bits are recovered 
exactly (Tsl. 

B. Direct Results 

Our two new metrics paint a complete picture of how this 
system will respond for both Bob and Eve, thus providing 
security analysis and system design constraints. The BE- 
CDF^^ will show us the operating point for Bob to attain any 
desired level of reliability, and will also show us how Eve’s 
decoding capability breaks down. The BER-CDF^^ will then 
further enlighten us as to where we truly wish Eve to operate 
so as to guarantee (with probability essentially one) high BER 
at the output of her decoder. Coincidentally, this analysis also 
allows us to identify the jamming power advantage required 
during key transmission for the system to be successfully 
deployed ITSl . 

Let us assume that the effective jamming to Bob is as = 
0.2, while the effective jamming to Eve is = 0.7 (we also 
include a = 1 in the flgures for instructional purposes). The 
BE-CDF^^ results apply to the BCH-encoded key bits and are 
given in Fig. where we see that if Bob wishes to attain 
an overall BER around 10“^, the system must be designed 
to guarantee a BE-CDF^^ value no lower than 0.9975. The 
interpretation of this value is that less than 1/4 of 1% of the 
transmitted key blocks should be decoded in error for Bob. 
Also according to Fig. Bob achieves this performance if 
the SNR over his Gaussian channel is 6.5 dB or greater. We 
also note that the BE-CDF^^ for Eve at an SNR of 4 dB is 
equal to 0.0048, meaning less than 1/2 of 1% of the time 
Eve will receive a key block for which she can correct all the 
errors if this BE-CDF^^ value can be maintained. 

To get the true feel for how Eve is affected by this scheme, 
however, we need to track the distribution of error proportion 
in Eve’s guess of the message bits as a function of Ei,/No 
using the BER-CDF^^ as depicted in Fig. [7] Here we see that 
for S = 0.05, we can attain Pr(P 5 > 0.5 — (5) = 0.995 at 
roughly Ei,/No = 4.7 dB, which corresponds to an SNR value 
of approximately 4 dB. These results indicate that for this 
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Fig. 7. BER-CDF®*^ given for two delta values along with the BER. These 
three curves are given for three different effective jamming powers, and show 
that if Eve experiences jamming power aE = 0.7, then her BER over 753 
message bits is guaranteed to be within 6 = 0.05 of 0.5 with high probability 
as long as her Ei^/Nq is no greater than 4.7 dB. This corresponds to an SNR 
value of approximately 4 dB. 

scheme, insuring that Eve cannot correct all errors in the key 
is in fact sufficient for insuring a high proportion of errors 
in Eve’s estimate of each short blocklength of message bits 
at the output of her decoder, which is exactly what we’d like 
to see in a practical physical-layer security scheme. Eor the 
sake of referring back to Eig. for the limiting value of the 
BER-CDE^*^ metric, Sb for this scheme is the dimension of the 
LDPC code (880 bits) minus the blocklength of the BCH code 
(127 bits), because the BCH code only encodes the key bits 
and the remainder of the bits in the dimension of the LDPC 
code are dedicated to the message. This yields 5^ = 753 bits. 

C. Creating a Discrete Memoryless Channel 

Explicit secrecy code constructions exist that can pro¬ 
vide information-theoretic security; however, only for discrete 
memoryless wiretap channels. As mentioned previously, cur¬ 
rently known designs require either a noiseless main channel 
for legitimate communication or a degraded wiretap channel 
for the eavesdropper lU. Thus, we have two possible research 
directions for making these designs more practical to real 
end users. Eirst, effort can be placed to design secrecy codes 
that operate over more realistic channels; and second, coding 
and/or signaling techniques may be leveraged to produce an 
effective wiretap channel GD over which we already know 
how to code for secrecy. In this section, we outline how our 
new metrics and the coding scheme explained in Section [VI-A| 
can be used to produce an effective discrete memoryless 
wiretap channel. 

Consider again the results shown in Eig. that indicate 
an eavesdropper experiencing jamming power aE = 0.7 and 
Eb/No = 4.7 dB over a Gaussian channel can expect error 
rates over 753-bit messages to have BER greater than 0.45 
with probability very close to one. Since the analysis was 
conducted over short block lengths, we offer not just an 
average BER, but rather a low estimate of the BER over the 
channel. We now consider applying one more code on the 
outside of the entire scheme described in Section |VI-A| as 
depicted in Eig. and modeling the remaining blocks as an 


effective binary symmetric channel (BSC). The additional code 
added is one that can leverage this effective channel to bring 
about an information-theoretic security result (e.g., (23). 

In order to claim that the interior blocks in Eig. [8] can 
truly be modeled as a BSC, we need to verify three main 
properties of the BSC in our system: (1) each bit should be 
erased independently from all other bits; (2) the probability 
p of flipping each bit over the channel should be identical, 
and we need to identify its value; and (3) we need to ensure 
that soft information about the bit is either not available or 
impossible to use at the secrecy decoder. 

To ensure that bits within message blocks retain their 
independence of being in error, as required by the BSC model, 
we need to apply an inter-block interleaver as the first subcode 
in the Outer Coder block in Eig. to spread information 
around as in fWi . ED and many other works. Although 
there may exist some correlations between Hipped bits over 
the same transmitted packet, since all bits from every secrecy 
codeword are transmitted in different packets over the channel 
we effectively deliver independence between the bits at the 
secrecy codeword level, which is where we need independence 
for the secrecy code to work properly. 

In terms of identifying the probability p that corresponds 
to the hipping of each bit over the channel, we’ll use the 
lower bound given by BER-CDE^^ as indicated above. By so 
doing, we provide an even stronger guarantee than identifying 
an average probability, since even short blocklengths maintain 
this probability of bit error with probability close to one. Bit 
error locations within secrecy codewords are kept uniformly 
random as a byproduct of the inter-codeword interleaving at 
the output of the secrecy encoder. 

Einally, we need to address this issue of soft information at 
the input of the secrecy decoder. Although soft information is 
technically available here, we must deduce whether or not the 
information is actually worth anything. In other words, what 
do log-likelihood ratios (LLRs) look like when the overall 
bit error rates at the output of an LDPC decoder are close 
to 0.5? LLRs can be approximated by Gaussian distributions 
with means centered at positive values if the bits should have 
a value of zero, and at negative values if the bits should 
have a value of one. The Gaussian approximation rule-of- 
thumb stems from the central limit theorem for likelihood 
ratios, where sums of random variables are calculated to 
give the ratio’s next iteration lEI, ESI. The distribution of 
LLRs corresponding to bits in error is always symmetric and 
centered at zero since the decision threshold at the end of 
the soft iterative decoding algorithm is positioned directly 
between the distributions of LLRs corresponding to differing 
bit values. When the SNR is small enough that the code 
doesn’t correct all the errors, distributions corresponding to 
bits in error and correct bits start to look very similar. In fact, 
when the noise completely overwhelms the coding scheme, 
each of these distributions tends to an approximate Gaussian 
distribution with mean zero and identical variances. It is this 
property that supplies an effective decoding threshold for 
iteratively decodable codes Gt). Einally, as the bit error rate 
(BER) approaches 0.5, the statistical difference between the 
distributions of LLRs for correct bits and bits in error becomes 

















IX 



tt 



Fig. 8. A concatenated coding scheme may be utilized to provide an effective discrete memoryless wiretap channel, over which known explicit secrecy codes 
may operate for information-theoretic security. 



Fig. 9. Kullback-Leibler divergence between distributions of LLRs that 
correspond to bits in error and LLRs that correspond to correct bits at the 
output of an LDPC soft decoder, as a function of the hard-decision BER 
at the output of the decoder. As the BER approaches 0.5, the distributions 
become more alike, to the point where detecting a correct bit or a bit in error 
is impossible, even with soft information. 


negligible. To demonstrate this, we show through simulation 
that the Kullback-Leibler (K-L) divergence 1^ between the 
two distributions approaches zero as the BER approaches 0.5, 
where the K-L divergence is given as 

D{p\\q) = J p{x)\og 2 ^^, (13) 

X 

and p{x) represents the distribution of LLRs for correct bits 
while q{x) represents the distribution of LLRs for bits in 
error at the output of a soft-information LDPC decoder. These 
results are given in Fig.|^ where we observe D{p\\q) going to 
zero with increasing BER. Recognize that D{p\\q) =0 implies 
that there is no statistical difference between p{x) and q{x), or 
that the distance between the two distributions is zero. It can 
be argued then, that as long as D{p\\q) is small enough, soft 
information at the output of an iterative decoder is unusable as 
it doesn’t accurately depict any type of relationship between 
a bit’s likelihood of being correct or in error. 


The end result is that our new metrics mixed with the 
scheme from CD can provide the effective channel model 
necessary for these information-theoretic designs to succeed. 
We see in m that one type of secrecy code that may be 
able to offer secrecy over this channel is that given in (221, 
where known advantageous (good for Bob, and bad for Eve) 
polarizations of bits in polar codes are used to transmit 
secret information over a symmetric eavesdropper’s channel. 
This coding scheme is known to achieve strong secrecy at 
information rates approaching the secrecy capacity when the 
legitimate channel can be modeled as noiseless. For our case 
(where we’ve assumed that aE = 0.7, as = 0.2, Bob’s 
SNR > 6.5 dB, and Eve’s SNR < 4 dB), supplying a 
probability of a flipped bit p = 0.45 over an effective BSC 
to an eavesdropper while maintaining an effectively noiseless 
main channel results in secrecy capacity Cg = Cm — Cw = P 
bits per channel use, where Cm and C^ signify the channel 
capacities of the main and wiretap channel, respectively la, 

(21, (H. 

The approach outlined here, where we manufacture a 
wiretap channel over which additional secrecy codes can be 
utilized, can be extended to produce other effective discrete 
memoryless wiretap channels as well that may form ideal 
backdrops for other code designs to operate in more realistic 
environments. 

VIE Conclusions 

In this paper we have discussed the landscape of physical- 
layer security coding metrics. We note that most measures 
in use today rely on information-theoretic analysis as block- 
lengths tend to infinity, or use mean BER, both of which 
give asymptotic results that have limited meaning for short 
blocklength codes. We have proposed two new metrics that 
effectively employ CDFs to provide a lower bound on the 
security levels based on BER. Such an approach provides a 
stronger guarantee of secrecy over realistic channel models 
than simply using mean BER to estimate performance, and yet 
our metrics retain their simplicity of calculation making them 
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directly adaptable to real-world communication systems. We 
have also shown how these new metrics may be used to reduce 
realistic channel model environments to simpler models over 
which known secrecy codes may be implemented to achieve 
information-theoretic security. 
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